2012 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. Rev #09.05
CONTENTS
1) ACCESS CONTROL: Overview; Key Areas of Knowledge
2) TELECOMMUNICATIONS AND NETWORK SECURITY (p. 7): Overview (p. 7); Key Areas of Knowledge (p. 7)
3) INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT (p. 9): Overview (p. 9); Key Areas of Knowledge (p. 9)
4) SOFTWARE DEVELOPMENT SECURITY (p. 12): Overview (p. 12); Key Areas of Knowledge (p. 12)
5) CRYPTOGRAPHY: Overview; Key Areas of Knowledge
6) SECURITY ARCHITECTURE & DESIGN (p. 15): Overview (p. 15); Key Areas of Knowledge (p. 15)
7) OPERATIONS SECURITY: Overview; Key Areas of Knowledge
8) BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING (p. 19): Overview (p. 19); Key Areas of Knowledge (p. 20)
9) LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE (p. 21): Overview (p. 21); Key Areas of Knowledge (p. 21)
10) PHYSICAL (ENVIRONMENTAL) SECURITY: Overview (p. 23); Key Areas of Knowledge (p. 23)
REFERENCES (p. 25)
SAMPLE EXAM QUESTIONS (p. 30)
GENERAL EXAMINATION INFORMATION (p. 31)
Paper Based Test (PBT) (p. 31)
Any questions? (p. 34)
GENERAL EXAMINATION INFORMATION (p. 35)
Computer Based Testing (CBT) (p. 35)
Registering for the Exam (p. 35)
Scheduling a Test Appointment (p. 36)
Non Disclosure (p. 39)
Day of the Exam (p. 39)
Any questions? (p. 42)
The Certified Information Systems Security Professional (CISSP) is an information assurance professional who has demonstrated a globally recognized level of competence provided by a common body of knowledge that defines the architecture, design, management, risk and controls that assure the security of business environments.

This Candidate Information Bulletin provides the following:
Exam blueprint, to a limited level of detail, that outlines major topics and sub-topics within the domains
Suggested reference list
Description of the format of the items on the exam
Basic registration/administration policies

Applicants must have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)2 CISSP CBK, or four years of direct full-time security professional work experience in two or more of the ten domains of the CISSP CBK with a four-year college degree. Only a one-year experience exemption is granted for education.

CISSP professional experience includes but is not limited to:
Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
Work requiring habitual memory of a body of knowledge shared by others doing similar work.
Management/supervision of projects and/or employees.
Work requiring the exercise of judgment, management decision-making, and discretion.
Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
Professional writing and oral communication (e.g., presentation).
Teaching, instructing, training and the mentoring of others.
Research and development.
The specification and selection of controls and mechanisms (i.e., identification and authentication technology; does not include the mere operation of these controls).

Applicable job title examples are: CISO, Director, Manager, Supervisor, Analyst, Cryptographer, Cyber Architect, Information Assurance Engineer, Instructor, Professor, Lecturer, Investigator, Computer Scientist, Program Manager, Lead, etc.
1) ACCESS CONTROL
Overview
The Access Control domain covers the mechanisms by which a system grants or revokes the right to access data or perform an action on an information system. Access Control systems include:
File permissions, such as create, read, edit, or delete on a file server.
Program permissions, such as the right to execute a program on an application server.
Data rights, such as the right to retrieve or update information in a database.

CISSP candidates should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization's computing environment.
revocation)
C.4 Data communications
B.7 Due diligence
C. Understand and apply concepts of confidentiality, integrity and availability
D. Develop and implement security policy
D.1 Security policies
D.2 Standards/baselines
D.3 Procedures
D.4 Guidelines
D.5 Documentation
E. Manage the information life cycle (e.g., classification, categorization, and ownership)
F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
G. Understand and apply risk management concepts
G.1 Identify threats and vulnerabilities
G.2 Risk assessment/analysis (qualitative, quantitative, hybrid)
G.3 Risk assignment/acceptance
G.4 Countermeasure selection
G.5 Tangible and intangible asset valuation
I. Develop and manage security education, training and awareness
J. Manage the Security Function
J.1 Budget
J.2 Metrics
Resources
Develop and implement information security strategies
Assess the completeness and effectiveness of the security program
5) CRYPTOGRAPHY
Overview
The Cryptography domain addresses the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality and authenticity. The candidate is expected to know: basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction and use of digital signatures to provide authenticity of electronic transactions and non-repudiation of the parties involved; and the organization and management of Public Key Infrastructures (PKIs) and digital certificate distribution and management.
B. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
C. Understand encryption concepts
C.1 Foundational concepts
C.2 Symmetric cryptography
C.3 Asymmetric cryptography
C.4 Hybrid cryptography
C.5 Message digests
C.6 Hashing
D.4 Key escrow
H. Use cryptography to maintain network security
I. Use cryptography to maintain application security
J. Understand Public Key Infrastructure (PKI)
K. Understand certificate related issues
L. Understand information hiding alternatives (e.g., steganography, watermarking)
C. Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)
D. Understand the vulnerabilities of security architectures
D.1 System (e.g., covert channels, state attacks, emanations)
D.2 Technology and process integration (e.g., single point of failure, service oriented architecture)
7) OPERATIONS SECURITY
Overview
The Operations Security domain covers the identification of critical information and the execution of selected measures that eliminate or reduce adversary exploitation of that information. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools and facilities that permit the identification of security events and the subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.
B. Employ resource protection
B.1 Media management
B.2 Asset management (e.g., equipment life cycle, software licensing)
C. Manage incident response
C.1 Detection
C.2 Response
C.3 Reporting
C.4 Recovery
C.5
D. Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)
E. Implement and support patch and vulnerability management
F. Understand change and configuration management (e.g., versioning, baselining)
G. Understand system resilience and fault tolerance requirements
C. Develop a recovery strategy
C.1 Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation)
C.2 Recovery site strategies
D. Understand disaster recovery process
D.1 Response
D.2 Personnel
D.3 Communications
D.4 Assessment
D.5 Restoration
D.6 Provide training
E. Exercise, assess and maintain the plan (e.g., version control, distribution)
E. Understand compliance requirements and procedures
E.1 Regulatory environment
E.2 Audits
E.3 Reporting
10) PHYSICAL (ENVIRONMENTAL) SECURITY
Overview
The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize. Physical security describes measures that are designed to deny unauthorized personnel (including attackers) physical access to a building, facility, resource, or stored information, together with guidance on how to design structures to resist potentially hostile acts. The candidate is expected to know the elements involved in choosing a secure site, its design and configuration, the methods for securing the facility against unauthorized access and theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.
REFERENCES
This reference list is NOT intended to be an all-inclusive collection representing the CISSP Core Body of Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need supplementary learning in order to complement their associated level of work and academic experience. Candidates may also consider other references, which are not on this list but adequately cover domain content. Note: (ISC)2 does not endorse any particular text or author and does not imply that any or all references be acquired or consulted. (ISC)2 does not imply nor guarantee that the study of these references will result in an examination pass.
Access Control
Bertino, E., K. Takahashi, (2010). Identity Management: Concepts, Technologies, and Systems
Chin, S-K., S.B. Older, (2010). Access Control, Security, and Trust: A Logical Approach
Ferraiolo, D.F., D.R. Kuhn, R. Chandramouli, (2007). Role-Based Access Control (2nd Edition)
Kayem, A.V., S.G. Akl, P. Martin, (2010). Adaptive Cryptographic Access Control
Konicek, J., (1997). Security, ID Systems and Locks: The Book on Electronic Access Control
Links, C.L., (2008). IAM Success Tips (Volumes 1-3)
Newman, R., (2009). Security and Access Control Using Biometric Technologies: Application, Technology, and Management
Rankl, W., W. Effing, (2010). Smart Card Handbook
Tipton, H.F., M.K. Nozaki, (2011). Information Security Management Handbook (2011 CD-ROM Edition)
Vacca, J.R., (2010). Biometric Technologies and Verification Systems

Telecommunications and Network Security
Cheswick, W.R., S.M. Bellovin, A.D. Rubin, (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd Edition)
Hoffman, D.V., (2008). Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control
Davis, C., (2001). IPSec: Securing VPNs
Hogg, S., E. Vyncke, (2008). IPv6 Security
Kadrich, M., (2007). Endpoint Security
Luotonen, A., (1997). Web Proxy Servers
Porter, T., J. Kanclirz, B. Baskin, (2006). Practical VoIP Security
Prowell, S., R. Kraus, M. Borkin, (2010). Seven Deadliest Network Attacks
Stevens, W.R., G.R. Wright, (2001). TCP/IP Illustrated (3 Volume Set)
Wetteroth, D., (2001). OSI Reference Model for Telecommunications

Information Security Governance & Risk Management
(ISC)2, Code of Ethics (https://www.isc2.org/ethics/default.aspx)
Bacik, S., (2008). Building an Effective Information Security Policy Architecture
Brotby, K., (2010). Information Security Governance
Calder, A., S. Watkins, (2008). IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002
Hayden, L., (2010). IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data
Herold, R., (2010). Managing an Information Security and Privacy Awareness and Training Program (2nd Edition)
Jaquith, A., (2007). Security Metrics: Replacing Fear, Uncertainty, and Doubt
Landoll, D.J., (2005). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
Norman, T.L., (2009). Risk Analysis and Security Countermeasure Selection
Tipton, H.F., (2009). Official (ISC)2 Guide to the CISSP CBK (2nd Edition)
Whitman, M.E., H.J. Mattord, (2010). Management of Information Security (3rd Edition)

Software Development Security
Allen, J.A., S.J. Barnum, R.J. Ellison, G. McGraw, N.R. Mead, (2008). Software Security Engineering: A Guide for Project Managers
Chess, B., J. West, (2007). Secure Programming with Static Analysis
Clarke, J., (2009). SQL Injection Attacks and Defense
Dowd, M., J. McDonald, J. Schuh, (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Dwivedi, H., (2010). Mobile Application Security
Howard, M., D. LeBlanc, J. Viega, (2009). 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Howard, M., S. Lipner, (2006). The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software
Ligh, M., S. Adair, B. Hartstein, M. Richard, (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Stuttard, D., M. Pinto, (2007). The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
Cryptography
Boudriga, N., (2009). Security of Mobile Communications
Cole, E., (2003). Hiding in Plain Sight: Steganography and the Art of Covert Communication
Hankerson, D., A.J. Menezes, S. Vanstone, (2010). Guide to Elliptic Curve Cryptography
Daemen, J., V. Rijmen, (2002). The Design of Rijndael: AES - The Advanced Encryption Standard
Garfinkel, S., (1994). PGP: Pretty Good Privacy
Karamanian, A., S. Tenneti, (2011). PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks
Menezes, A.J., P. van Oorschot, S. Vanstone, (1996). Handbook of Applied Cryptography (Discrete Mathematics and Its Applications)
Schneier, B., (1996). Applied Cryptography: Protocols, Algorithms, and Source Code in C (2nd Edition)
Tennoe, L.M., M.T. Henssonow, S.F. Surhone, (2010). Tokenization (Data Security)
Stallings, W., (2010). Cryptography and Network Security: Principles and Practice (5th Edition)

Security Architecture & Design
Anderson, R.J., (2008). Security Engineering: A Guide to Building Dependable Distributed Systems
Challener, C., K. Yoder, R. Catherman, D. Safford, L.V. Doorn, (2008). A Practical Guide to Trusted Computing
Gillis, T., (2010). Securing the Borderless Network: Security for the Web 2.0 World
Higaki, W.H., Y. Higaki, (2010). Successful Common Criteria Evaluations: A Practical Guide for Vendors
Kanneganti, R., P.R. Chodavarapu, (2008). SOA Security
Kenan, K., (2005). Cryptography in the Database: The Last Line of Defense
Petkovic, M., W. Jonker, (2010). Security, Privacy, and Trust in Modern Data Management
Santos, O., (2007). End-to-End Network Security: Defense-in-Depth
Shimonski, R., W. Schmied, V. Chang, T.W. Shinder, (2003). Building DMZs For Enterprise Networks
Swiderski, F., W. Snyder, (2004). Threat Modeling
Security Operations
Aiello, R., (2010). Configuration Management Best Practices: Practical Methods that Work in the Real World
Bejtlich, R., (2005). Extrusion Detection: Security Monitoring for Internal Intrusions
Bosworth, S., M.E. Kabay, E. Whyne, (2009). Computer Security Handbook (2 Volume Set)
Cole, E., S. Ring, (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft
Foreman, P., (2009). Vulnerability Management
Fry, C., M. Nystrom, (2009). Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
Hadnagy, C., (2010). Social Engineering: The Art of Human Hacking
Koren, I., C.M. Krishna, (2007). Fault-Tolerant Systems
Rajnovic, D., (2010). Computer Incident Response and Product Security
Trost, R., (2009). Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century

Business Continuity & Disaster Recovery Planning
Bowman, R.H., (2008). Business Continuity Planning for Data Centers and Systems: A Strategic Implementation Guide
Buffington, J., (2010). Data Protection for Virtual Data Centers
Clark, T., (2005). Storage Virtualization: Technologies for Simplifying Data Storage and Management
Hiles, A., P. Barnes, (2001). The Definitive Handbook of Business Continuity Management
Little, D.B., D.A. Chapa, (2003). Implementing Backup and Recovery: The Readiness Guide for the Enterprise
National Fire Protection Association, (2007). NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Preston, C., (2007). Backup & Recovery: Inexpensive Backup Solutions for Open Systems
Schmidt, K., (2010). High Availability and Disaster Recovery: Concepts, Design, Implementation
Snedaker, S., (2007). Business Continuity and Disaster Recovery Planning for IT Professionals
Toigo, J.W., (2002). Disaster Recovery Planning: Preparing for the Unthinkable (3rd Edition)

Legal, Regulations, Investigations and Compliance
Barrett, D., G. Kipper, (2010). Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments
Casey, E., (2011). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd Edition)
Ermann, M.D., M.S. Shauf, (2002). Computers, Ethics, and Society (3rd Edition)
Garner, B.A., (2009). Black's Law Dictionary (9th Edition)
Kuner, C., (2007). European Data Protection Law: Corporate Regulation and Compliance
Mather, T., S. Kumaraswamy, S. Latif, (2009). Cloud Security and Privacy
Moeller, R.R., (2010). IT Audit, Control, and Security (2nd Edition)
Nissenbaum, H., (2009). Privacy in Context: Technology, Policy, and the Integrity of Social Life
Prosise, C., K. Mandia, (2003). Incident Response and Computer Forensics (2nd Edition)
Van Lindberg, V., (2008). Intellectual Property and Open Source: A Practical Guide to Protecting Code

Physical (Environmental) Security
Alger, D., (2005). Build the Best Data Center Facility for Your Business
Arata, A., (2005). Perimeter Security
Damjanovski, V., (2005). CCTV, Networking and Digital Technology (2nd Edition)
Fennelly, L., (2003). Effective Physical Security (3rd Edition)
Garcia, M.L., (2005). Vulnerability Assessment of Physical Protection Systems
Khairallah, M., (2005). Physical Security Systems Handbook: The Design and Implementation of Electronic Security Systems
Nilsson, F., (2008). Intelligent Network Video: Understanding Modern Video Surveillance Systems
Schulz, G., (2009). The Green and Virtual Data Center
Snevely, R., (2002). Enterprise Data Center Design and Methodology
SAMPLE EXAM QUESTIONS

1.
A. Local law enforcement response times
B. Adjacent to competitors' facilities
C. Aircraft flight paths
D. Utility infrastructure
Answer - D

2.
A. Rapid transmission of Internet Relay Chat (IRC) messages
B. Creating a high number of half-open connections
C. Disabling the Domain Name Service (DNS) server
D. Excessive list linking of users and files
Answer - B

3. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions
A. between the WAP gateway and the wireless device.
B. between the web server and WAP gateway.
C. from the web server to the wireless device.
D. between the wireless device and the base station.
Answer - B
turned in and accounted for before leaving the testing room. No unauthorized persons will be admitted into the testing area.

Please be further advised that all examination content is strictly confidential. You may only communicate about the test, or questions on the test, using the appropriate comment forms provided by the examination staff at the test site. At no other time, before, during or after the examination, may you communicate orally, electronically or in writing with any person or entity about the content of the examination or individual examination questions.

Reference Material
Candidates writing on anything other than examination materials distributed by the proctors will be in violation of the security policies above. Reference materials are not allowed in the testing room. Candidates are asked to bring as few personal and other items as possible to the testing area.

Hard copies of language translation dictionaries are permitted for the examination, should you choose to bring one to assist you with language conversions. Electronic dictionaries will not be permitted under any circumstances. The Examination Supervisor will fully inspect your dictionary at check-in. Your dictionary may not contain any writing or extraneous materials of any kind. If the dictionary contains writing or other materials or papers, it will not be permitted in the examination room. Additionally, you are not permitted to write in your dictionary at any time during the examination, and it will be inspected a second time prior to dismissal from the examination. Finally, (ISC)2 takes no responsibility for the content of such dictionaries or interpretations of the contents by a candidate.

Examination Protocol
While the site climate is controlled to the extent possible, be prepared for either warm or cool temperatures at the testing center.
Cellular phones and beepers are prohibited in the testing area.
The use of headphones inside the testing area is prohibited.
Electrical outlets will not be available for any reason.
Earplugs for sound suppression are allowed.
No smoking or use of tobacco products will be allowed inside the testing area.
Food and drinks are only allowed in the snack area located at the rear of the examination room.
You must vacate the testing area after you have completed the examination.
If you require special assistance, you must contact (ISC)2 Candidate Services (see address at the bottom of this document) at least one week in advance of the examination date and appropriate arrangements will be made.
Due to limited parking facilities at some sites, please allow ample time to park and reach the testing area.

Admission Problems
A problem table for those candidates who did not receive an admission notice or need other assistance will be available 30 minutes prior to the opening of the doors.

Examination Format and Scoring
The CISSP examination consists of 250 multiple choice questions with four (4) choices each.
The CSSLP examination consists of 175 multiple choice questions with four (4) choices each. The SSCP examination contains 125 multiple choice questions with four (4) choices each. The ISSAP, ISSEP, and ISSMP concentration examinations contain 125, 150, 125 multiple choice questions respectively with four (4) choices each. The Certified Authorization Professional (CAP) examination contains 125 multiple choice questions with four (4) choices each. Also, administered in computers.
There may be scenario-based items which may have more than one multiple choice question associated with it. These items will be specifically identified in the test booklet. Each of these exams contains 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing, so candidates should not leave any item unanswered. Examination results will be based only on the scored questions on the examination. There are several versions of the examination. It is important that each candidate have an equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the examinations. That information is used to develop examination forms that have comparable difficulty levels. When there are differences in the examination difficulty, a mathematical procedure called equating is used to make the difficulty level of each test form equal. Because the number of questions required to pass the examination may be different for each version, the scores are converted onto a reporting scale to ensure a common standard. The passing grade required is a scale score of 700 out of a possible 1000 points on the grading scale. Examination Results Examination results will normally be released, via e mail, within 4 to 6 weeks of the examination date. A comprehensive statistical and psychometric analysis of the score data is conducted prior to the release of scores. A minimum number of candidates must have taken the examination for the analysis to be conducted. Accordingly, depending upon the schedule of test dates for a given cycle, there may be occasions when scores are delayed beyond the 4-6 week time frame in order to complete this critical process. 
If the test is administered via computer, candidates' pass/fail status is provided at the end of testing on site. Results WILL NOT be released over the telephone. In order to receive your results, your primary e-mail address must be current, and any e-mail address changes must be submitted to (ISC)² Customer Support via e-mail at customersupport@isc2.org, or may be updated online in your candidate profile.
Exam Response Information
Your answer sheet MUST be completed with your name and other information as required. The answer sheet must be used to record all answers to the multiple-choice questions. Upon completion, you are to wait for the proctor to collect your examination materials. Answers marked in the test booklet will not be counted or graded, and additional time will not be allowed in order to transfer answers to the answer sheet. All marks on the answer sheet must be made with a No. 2 pencil. You must blacken the appropriate circles completely and completely erase any incorrect marks. Only your responses marked on the answer sheet will be considered. An unanswered question will be scored as incorrect. Dress is business casual (neat...but certainly comfortable).
Any questions?
(ISC)² Candidate Services
33920 US Highway 19 North, Suite 205
Palm Harbor, FL 34684
Phone: 1.866.331.ISC2 (4722) in the United States; 1.727.785.0189 all others
Fax: 1.727.683.0785
GENERAL EXAMINATION INFORMATION
Computer Based Testing (CBT)
Registering for the Exam
Process for Registration Overview
This section describes procedures for candidates registering to sit for a Computer Based Test (CBT). The test is administered at Pearson VUE Testing centers in the US, Canada, and other parts of the world.
1. Go to www.pearsonvue.com/isc2 to register for a test appointment.
2. Select the most convenient test center.
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details, test center location and other relevant instructions, if any.
Please note that your registration information will be transferred to (ISC)², and all communication about the testing process from (ISC)² and Pearson VUE will be sent to you via e-mail.

Fees
Please visit the (ISC)² website https://www.isc2.org/certification-register-now.aspx for the most current examination registration fees.

U.S. Government Veterans Administration G.I. Bill
The U.S. Department of Veterans Affairs has approved reimbursement to veterans under the G.I. Bill for the cost of the Certified Information System Security Professional (CISSP), the CISSP Concentrations (ISSAP, ISSEP, ISSMP), the Certification and Accreditation Professional (CAP), and the System Security Certified Practitioner (SSCP) examinations. Please refer to the U.S. Department of Veterans Affairs website at www.va.gov for more details.
CBT Demonstration
Candidates can experience a demonstration and tutorial of the CBT experience on our Pearson VUE web page. The tutorial may be found at www.pearsonvue.com/isc2.
Rescheduling or Cancellation of a Testing Appointment
If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours before the exam date by contacting Pearson VUE online (www.pearsonvue.com/isc2), OR at least 24 hours prior to the exam appointment time by contacting Pearson VUE over the phone. Canceling or rescheduling an exam appointment with less than 24 hours' notice via phone, or less than 48 hours' notice online, is subject to a forfeit of exam fees. Exam fees are also forfeited for no-shows. Please note that Pearson VUE charges a fee of US$ 20 for reschedules or cancellations. Reschedules and cancellations may be done at the (ISC)² CBT Candidate Website (www.pearsonvue.com/isc2) or via telephone. Please refer to Contact Information for more information and local telephone numbers for your region.

Late Arrivals or No Shows
If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically forfeited his or her assigned seat. If the candidate arrives late (more than 15 minutes after his/her scheduled appointment), it is up to the discretion of the testing center as to whether or not the candidate may still take the exam. If the test administrator at the testing location is able to accommodate a late-arriving candidate without affecting subsequent candidates' appointments, he/she will let the candidate sit for the exam and launch his/her exam. All attempts are made to accommodate candidates who arrive late. However, if the schedule is such that the test center is not able to accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited. If a candidate fails to appear for a testing appointment, the test result will appear in the system as a No-Show and the candidate's exam fees will be forfeited.
Procedure for Requesting Special Accommodations
Pearson VUE Professional Centers can accommodate a variety of candidates' needs, as they are fully compliant with the Americans with Disabilities Act (ADA) and the equivalent requirements in other countries. Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once (ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson VUE's special accommodations number. From there, a Pearson VUE coordinator will handle all of the arrangements.
PLEASE NOTE: Candidates that request special accommodations should not schedule their appointment online or call the main CBT registration line.
Name Matching Policy
Candidates' first and last names on the presented identification document must exactly match the first and last names on the registration record with Pearson VUE. If the name the candidate has registered with does not match the name on the identification document, proof of legal name change must be brought to the test center on the day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court-sanctioned legal name change documents. All documents presented at the test center must be original documents. If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the information well in advance of the actual test date. Name changes cannot be made at the test center or on the day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the day of the test may be subject to forfeiture of testing fees and asked to leave the testing center.
Non Disclosure
Prior to starting the exam, all candidates are presented with the (ISC)² non-disclosure agreement (NDA) on the computer and are required to accept the agreement before being presented with exam questions. If the candidate does not accept the NDA, or does not accept it within the time allotted, the exam will end and the candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling for, or taking, the exam. The agreement is located at www.pearsonvue.com/isc2/isc2_nda.pdf.
The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer terminal. You must remain in your seat during the examination, except when authorized to leave by test center staff. You may not change your computer terminal unless a TA directs you to do so.
Raise your hand to notify the TA if you:
- believe you have a problem with your computer.
- need to change note boards.
- need to take a break.
- need the administrator for any reason.

Breaks
You will have up to six hours to complete the CISSP, up to four hours to complete the CSSLP, and up to three hours to complete the following examinations: SSCP, CAP, ISSAP, ISSEP, ISSMP. Total examination time includes any unscheduled breaks you may take. All breaks count against your testing time. You must leave the testing room during your break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan before and after your break.

Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate's examination. If circumstances arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice of continuing to wait or rescheduling your appointment without an additional fee. If you choose to wait, but later change your mind at any time prior to beginning or restarting the examination, you will be allowed to take the exam at a later date at no additional cost. If you choose not to reschedule, but rather to test after a delay, you will have no further recourse, and your test results will be considered valid. If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you will be allowed to test at a later date at no additional charge. Every attempt will be made to contact candidates if technical problems are identified prior to a scheduled appointment.
Testing Environment
Pearson Professional Centers administer many types of examinations, including some that require written responses (essay-type). Pearson Professional Centers have no control over typing noises made by candidates sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized testing environment, just as the noise of turning pages is a normal part of the paper-and-pencil testing environment. Earplugs are available upon request.

When the Exam is Finished
After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all note boards. The TA will dismiss you when all requirements are fulfilled. If you believe there was an irregularity in the administration of your test, or the associated test conditions adversely affected the outcome of your examination, you should notify the TA before you leave the test center.

Results Reporting
Candidates will receive their unofficial test result at the test center. The results will be handed out by the Test Administrator during the checkout process. (ISC)² will then follow up with an official result via e-mail. In some instances, real-time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 4-6 weeks in order to complete this critical process. Results WILL NOT be released over the phone. They will be sent via e-mail from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination.

Retake Policy
Test takers who do not pass the exam the first time will be able to retest after 30 days. Test takers who fail a second time will need to wait 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, the next available time to sit for the exam will be 180 days after the most recent exam attempt. The retake wait time then resets after the fourth attempt, starting again with a 30-day waiting period.
Recertification by Examination
Candidates and members may recertify by examination for the following reasons ONLY:
- The candidate has become decertified due to reaching the expiration of the time limit for endorsement.
- The member has become decertified for not meeting the number of required continuing professional education credits.